List signature method and application to electronic voting

ABSTRACT

The invention concerns a list signature method comprising: an organization phase whereby reliable authority defines parameters for implementing an anonymous electronic signature; a phase which consists in registering persons on a list of authorized members to generate a list signature, during which each person calculates a private key, and the reliable authority delivers to each person a certificate for membership of the list; a phase which consists in defining a serial number; a phase wherein a member of the list generates by means of certificate a signature containing an element common to all the signatures issued by one single member with one single serial number; a phase which consists in verifying whether the signature has been generated by a member of the list and whether the serial number has been used to generate the signature.

The present invention relates to the general field of security ofservices accessible through a digital data transmission network, andmore specifically to the field of electronic signature.

It notably, but not exclusively, applies to electronic voting or even toelectronic petition.

The electronic signature of a message implements a mechanism pertainingto so-called asymmetric cryptography: the signatory, who has a secreteor private key and an associated public key, may produce a messagesignature by means of the secrete key. To verify the signature, it issufficient to have the public key.

In certain applications like electronic voting, the signatory should beable to remain anonymous. For this purpose, the so-called anonymouselectronic signature has been developed enabling with the help of apublic key to determine whether the signatory of a message has certainrights (rights to sign the message, rights to have the secrete key usedfor signing the message, etc.) while preserving the anonymity of thesignatory. In addition, in voting or electronic petition applications,each authorized person should be able to sign only once.

Among anonymous signatures, there is also what is called the blindsignature allowing a person to obtain a signature of a message fromanother entity, without the latter having to know the contents of themessage, and being able to establish later the link between thesignature and the identity of the signatory. This blind signaturesolution therefore requires the intervention of an intermediate entitywho produces the signatures. In applications such as voting andelectronic petition, each solution involves an empowered authority whosigns the vote of each voter or the petition for each petitioner.

The concept of a group signature has also been proposed which enableseach member of a group to produce a signature so that a verifier havingan adequate public key may verify whether the signature was issued by amember of the group without being able to determine the identity of thesignatory.

This concept is described for example in document:

[1] “A Practical and Provably Secure Coalition-Resistant Group SignatureScheme”, of G. Ateniese, J. Camenisch, M. Joye and G. Tsudik, in M.Bellare, Editor, Advance in Cryptology—CRYPTO 2000, vol. 1880 of LNCS,pp. 255-270, Springer-Verlag 2000.

However, in this concept, a reliable authority may at any moment breakthis anonymity and determine the identity of a person of the grouphaving issued a signature. In addition, this type of signature is saidto be “non linkable”, i.e. it does not allow one to determine whethertwo signatures were or not issued by the same person, without breakingthe anonymity of the signature. Group signatures are used in manyapplications, such as electronic auctions, electronic cash, or evenelectronic voting. Group signature is utterly unsuitable for the latterapplication as it authorizes a reliable authority to access the identityof a signatory, and it does not allow the linking of two signaturesissued by a same person without determining the identity of thesignatory. In addition, document [1] does not provide any process forrevoking a member of the group.

To remedy the latter drawback, document [2] “Efficient Revocation ofAnonymous Group membership Certificates and Anonymous Credentials” of J.Camenisch and A. Lysysanskaya, published by Cryptologie ePrint ArchiveIACR, 2002, provides the adding of a revocation process to this concept(this document will also be published by M. Jung, Editor CRYPTO 2002,Springer-Verlag 2002). However, this solution does not provide asolution to the problems of preserving the anonymity of the signatory,and “linkability” of two signatures.

In an electronic voting application, it is further necessary to ensuresecurity approaching traditional voting at the very most, in order toguarantee the following properties.

Nobody should be capable of knowing the results of the poll evenpartially before its closing. Everybody should be able to be persuadedof the validity of the final result of the poll. Finally, an empoweredauthority should be able to withdraw or revoke the voting right of aperson.

Whether one is dealing with off-line voting, i.e. with the use of anelectronic voting machine, set up in a polling station or inon-line-voting, i.e., remotely, via the Internet network for example,the presently proposed systems, using a group signature as described indocument [1] and completed in document [2], do not meet theseconditions, except for revoking the right of signature.

Moreover, application of the blind signature concept to electronicvoting is a solution for which implementation is awkward, as the voteris compelled to logon several times at each election. In addition, ifthe poll backfires, the person responsible for this cannot bedetermined: either a voter or the organizer of the poll.

The concept of mixer networks has also been proposed, notably indocument [3] “Untraceable Electronic Mail Return Addresses and DigitalPseudonym” of D. Chaum, ACM 1981, each mixer being a function producinga list of numbers decrypted from a list of encrypted numbers, whileconcealing the match between the encrypted and decrypted numbers.Applied to electronic voting, this technique has the major drawback ofnot allowing the validity of a vote to be verified without compromisingthe secret thereof.

In document [4] “A secure and Optimal Efficient Multi-Authority ElectionScheme”, of Cramer, Gennaro, and Schoenmakers, Eurocrypt'97,LNCS—Springer-Verlag, so-called homomorphic encryption is describedenabling basic calculations to be performed on encrypted numbers.Solutions based on this method however are not applicable to pollsinvolving a large number of voters.

The object of the present invention is to get rid of this drawback. Thisgoal is achieved by providing a list signature method comprising atleast:

an organizing phase consisting, for a reliable authority, of definingparameters for implementing an anonymous electronic signature, includinga private key and a corresponding public key,

a phase of registering persons in a list of members authorized togenerate an electronic signature specific to the members of the list,during which each person to be recorded calculates a private key withthe help of the parameters provided by the reliable authority and ofparameters randomly selected by the person to be registered, and thereliable authority delivers a list membership certificate to each personto be registered,

a signing phase during which a member of the list generates and issues asignature specific to the members of the list, this signature beingbuilt in order to contain proof that the member of the list havingissued the signature, has a list membership certificate, and

a phase of verifying the issued signature comprising steps for applyinga predefined algorithm in order to show the proof that the signature wasissued by a person having a list membership certificate.

According to the invention, this method further comprises:

a phase of defining a series consisting, for a reliable authority, ofgenerating a serial number to be used in the signature phase, asignature generated during the signature phase comprising a signatureelement which is common to all the signatures issued by a same member ofthe list with a same serial number and which contains proof that theserial number was used for generating the signature, the verifying phasefurther comprising a step of verifying the proof that the serial numberwas used for generating the signature;

a phase of revoking a member of the list in order to remove a memberfrom the list, during which the reliable authority removes the member tobe removed from the list and updates the parameters for implementing theanonymous electronic signature, in order to take into account theremoval of the member from the list; and

a phase of updating the certificates of the members of the list in orderto take into account changes in the composition of the list.

According to one embodiment of the invention, the organizing phasecomprises definition of a common parameter depending on the compositionof the list, the phase of registering a person in the list, comprisingthe definition of a parameter specific to the person to be registeredwhich is calculated according to the parameter depending on thecomposition of the list, and which is integrated into the certificatehanded out to the person, the registering phase comprising a step ofupdating the common parameter depending on the composition of the list,a phase of revoking a member of the list comprising a step of changingthe common parameter depending on the composition of the list, in orderto take into account the removal of the member from the list, and thephase of updating certificates of the members of the list including astep of updating the parameter specific to each member of the list inorder to take into account changes in the composition of the list.

According to an embodiment of the invention, a signature specific to amember of the list and having the certificate [A_(i), e_(j)] comprisesparameters T₁, T₂, T₃, such that:T ₁ =A _(i) b ^(ω) (mod n),T ₂ =g ^(ω) (mod n),T ₃ =ge _(i) h ^(ω) (mod n),where ω is a randomly selected number during the signature phase, and b,g, h, and n are general parameters for implementing the group signature,such that parameters b, g and h cannot be inferred from each other byinteger power raising modulo n functions, so that the number A_(i) andtherefore the identity of the member of the list having the certificate[A_(i), e_(j)] cannot be inferred from a signature issued by the member.

Preferably, the number of a series used for generating a list signatureis calculated according to a beginning date of the series.

Advantageously, the function for calculating the number of a series isin the form:F(d)=(H(d))² (mod n)where H is a collision-resistant hash function, d is the beginning dateof the series, and n is a general parameter for implementing the groupsignature.

According to an embodiment of the invention, the parameter T₄ of asignature issued by a member of the list and depending on the serialnumber m and on the private key x_(i) of the signatory member isobtained from the following formula:T ₄ =m ^(x) ^(i) (mod n)n being a general parameter for implementing the group signature and thesignature comprising the proof that the parameter T₄ was calculated withthe private key x_(i) of the member of the list who issued thesignature.

The invention also relates to an electronic voting method comprising aphase for organizing the elections, during which an organizing authorityproceeds with generating parameters required for a poll, and assignskeys to the scrutineers, allowing them to decrypt and verify ballots, aphase of assigning a signature right to each of the voters, a votingphase during which the voters sign a ballot, and a counting phase duringwhich the scrutineers verify the ballots and calculate the result of thepoll according to the contents of the decrypted and valid ballots.

According to the invention, this method implements a list signaturemethod as defined hereinbefore, for signing ballots, each voter beingregistered as a member of a list, and a serial number being generatedfor the poll, in order to detect whether a same voter has issued severalballots for the poll or not.

According to one embodiment of the invention, the organizing phasecomprises the handing out of a public key and a private key to eachscrutineer, the ballots being encrypted with a public key obtained bythe product of the respective public keys of all the scrutineers, andthe corresponding decryption private key being obtained by calculatingthe sum of the respective private keys of all the scrutineers.

Advantageously, encryption of the ballots is carried out with aprobabilistic encryption algorithm.

According to one embodiment of the invention, the ballots issued by thevoters are stored in a public database, the result of the verifying andcounting of each ballot being stored in the database associated with theballot, and the private key for decrypting the ballots being published.

A preferred embodiment of the invention will be described hereafter, asa non-limiting example, with reference to the appended drawings wherein:

FIG. 1 illustrates a system for implementing the list signature andelectronic voting methods according to the invention;

FIGS. 2-8 illustrate as flow diagrams, the various procedures which areexecuted in accordance with the list signature and electronic votingmethod according to the invention.

The present invention proposes a list signature method wherein all theauthorized persons, i.e. belonging to the list, may produce a signaturewhich is anonymous, and anybody is able to verify the validity of thesignature without having access to the identity of the member of thelist who signed.

Such a method may be implemented in the system illustrated in FIG. 1.This system comprises terminals 2 made available to the users andconnected to a digital data transmission network 5 such as the Internetnetwork. Advantageously, each terminal 2 is connected to a chip card 7reader 8. Via the network 5, users may log on to a server 6 givingaccess to information for example stored in a database 4. This systemalso comprises a computer 1 of a reliable authority who notably deliverschip cards 7 to the users.

The list signature method according to the invention repeats in thegroup signature method described in the referenced document [1], thefollowing procedure:

a procedure for organizing a group of signatories, which consists ofsetting up various parameters and required public keys,

a registration procedure wherein a person to be registered in the groupreceives from a reliable authority a right of signature, i.e. anauthorized private key and certificate,

an actual signing procedure during which a person having a signatureright signs a message, and

a verifying procedure consisting of applying a verification algorithm toa signature in order to verify whether the signature was produced by aperson having a signature right.

The invention further provides an arrangement for guaranteeing theanonymity of a signatory, even with respect to a reliable authority, aswell as a series organizing procedure consisting of defining a serialnumber to be used for generating list signatures, the verification of asignature further comprising a step of verifying whether the signatureis unique for a given serial number.

The method according to the invention may also include a revocationprocedure as defined in referenced document [2]. With this revocationprocedure, a reliable authority may remove from a member of the list,the signature rights which were assigned to him/her earlier, from theidentity of the member. The setting up of this revocation possibilityinvolves execution by the members of the list of an updating procedureduring which the members of the list update their certificates in orderto take into account the changes (addition or removals) made in the listof the persons authorized to sign.

FIG. 2 illustrates the different steps of the organizing procedure 10executed on the computer 1 of the reliable authority.

According to the referenced document [1], this procedure consists ofselecting 11 the following integers:ε>1, k, l_(p),λ₁, λ₂, γ₁, γ₂, which are the lengths of the integers in numbers ofbits, with:λ₂>41_(p)   (1)λ₁>ε(λ₂ +k)+2   (2)γ₂>λ₁+2   (3)γ₁>ε(γ₂ +k)+2   (4)and of defining the sets of following integers:Λ=]2^(λ) ¹ −2^(λ) ² , 2^(λ) ¹ +2^(λ) ² ], andΓ=]2^(γ) ¹ −2^(γ) ² , 2^(γ) ¹ +2^(γ) ² ].

This procedure also consists of selecting a collision-resistant hashfunction H such that a binary sequence of any length marked as {0, 1}*is transformed into a binary sequence of length k marked as {0, 1}^(k).

Next, the computer 1 of the reliable authority randomly generates instep 12, prime numbers p′ and q′ with size l_(p), such that p=2p′+1 andq=2q′+1 and q=2q′+1, are also prime numbers. Next, it computes in step13 module n=pq and randomly generates in step 14, integers a, a₀, b, gand h, in the set QR(n) of quadratic residues of n, i.e. the set ofintegers y such that y=x² (mod n), x being an integer. It is thenconsidered that the public key PK of the reliable authority consists ofthe series of integers (n, a, a₀, b, g, h) and that the private key ofthe latter consists of the series of integers (p′, q′).

In order to be registered by the reliable authority, a user wishing tobecome a member of the list executes the procedure 20 illustrated inFIG. 3, on his/her terminal 2. Execution of this procedure engages adialog with the computer 1 of the reliable authority which then executesa procedure 20′. Procedure 20 first of all comprises a step 21 forrandomly generating integers {tilde over (x)}_(i) et {tilde over (r)},respectively intervals ]0, 2^(λ) ² ] and ]0, n²[. From these integers,an integer C₁ is calculated 22 such that:C ₁ =g ^({tilde over (x)}) ^(i) h ^({tilde over (r)})(mod n)   (5)

In step 23, the proof of the knowledge of both numbers α and β (i.e.{tilde over (x)}_(i) et {tilde over (r)}) is built such thatC₁=g^(α)h^(β) (mod n).

Such a proof is formed for example by randomly selecting two integers r₁and r₂ in the set of signed binary numbers with ε(21_(p)+k) bits, markedas ±{0, 1}^(ε(21) ^(p) ^(+k)), and by calculating the following numbers:d ₁ =g ^(r) ¹ h ^(r) ² (mod n),   (6)c=H(g∥h∥C ₁ ∥d ₁),   (7)wherein the ∥ symbol represents the concatenation operator,s ₁ =r ₁ −cα,   (8)s ₂ =r ₂ −cβ.   (9)s₁ and s₂ being relative integers.

The proof U is then equal to (c, s₁, s₂, C₁).

The number C₁ and the proof U are then sent to the reliable authoritywho in step 21′, verifies proof U and whether C₁ is in the QR(n) set ofquadratic residues of n.

In the previous example, verification of the proof consists ofcalculating:t ₁ =C ₁ ^(c) g ^(s) ¹ h ^(s) ² (mod n), and   (10)c′=H(g∥h∥C ₁ ∥t ₁).   (11)

The proof is established if c′=c and if s₁ and s₂ belong to the set ±{0,1}^(ε(21) ^(p) ^(+k)+1).

If such is the case, the computer 1 of the reliable authority, randomlygenerates in step in 22′ two integers α_(i), β_(i) in the interval ]0,2^(λ) ² [, and sends these numbers to the terminal 2 of the user. Inprocedure 20, the terminal of the user then calculates in step 24 theintegers x_(i) and C₂ by applying the following formulae:x _(i)=2^(λ) ¹ +(α_(i) {tilde over (x)} _(i)+β_(i)(mod2^(λ) ² )), and  (12)C ₂ =a ^(x) ^(i) (mod n).   (13)

Next, the following proofs are built in step 25 (for example accordingto the same principle as proof U):

the proof V of having a number α belonging to set Λ such that:C ₂ =a ^(α) (mod n)   (14)

the proof W of having three numbers β, γ, δ, such that β ε ]−2^(λ) ² ,2^(λ) ² [, andC ₂ /a ^(λ) ² =a ^(β), and   (15)C ₁ ^(α) ^(i) g ^(β) ^(i) =g ^(β)(g ² ^(λ) ² )^(γ) h ^(δ)  (16)

C₂ and proofs V and W are then sent to the computer 1 of the reliableauthority who verifies 23′ the proofs V and W and whether C₂ belongs toset QR(n). If such is the case, it randomly generates 24′ a prime numbere_(i), belonging to set Γ and applies the following formula:A _(i)=(C ₂ a ₀)^(1/e) ^(i) (mod n)   (17)and sends back to the user, integers A_(i) and e_(i), considered as acertificate [A_(i), e_(j)] for the user's membership of the list.

Computer 1 then generates 26′ a new entry in a table of members of thelist, for example in the database 4, in which is stored the certificate[A_(i), e_(j)] for changes in the list (for example revocations ofmembers), and preferably for messages exchanged between the reliableauthority and the user, during this procedure for registering the user.

Moreover, the user may verify 26 the authenticity of the receivedcertificate by verifying that the following equation is satisfied:a ^(x) ^(i) a ₀ =A _(i) ^(e) ^(i) (mod n)   (18)

At the end of this registration procedure 20, the user therefore has aprivate key x_(i) and a certificate [A_(i), e_(i)] of membership of thelist, which for example are stored in a chip card 7.

With such a certificate, the user may generate a signature of a messageM belonging to set {0, 1}*.

For this purpose, the reliable authority publishes according to theinvention, a serial number m, randomly selected in set QR(n). Thisnumber will have to be used by the members of the list for signing amessage during a given series. The respective numbers of differentseries must not be linkable. In particular, it should be impossible tocalculate a discrete logarithm of a given serial number, relatively tothe base of another serial number, i.e. it should not be possible topractically calculate integers x and y, such as:

m^(x)=m′^(y)(mod n), m and m′ being serial numbers.

This serial number m may be calculated according to the date of thebeginning of the series: m=F(date). For example this function F ischosen to be equal to:F(d)=(H′(d))² (mod n)   (19)

where H′, a collision-resistant hash function, such as a binary sequenceof any length marked as {0, 1}*, is transformed into a binary sequencewith length 21_(p) marked as {0, 1}²¹ ^(p) . It is therefore easy toverify the validity of the serial number by applying formula (19).

The procedure for signing a message is designed so that a user may showthat he/she has a member certificate and a member private key and thathe/she uses the proper serial number.

To sign a message M, a member of the list must execute, for example onhis/her chip card 7, connected to a terminal 2 and storing his/hercertificate [A_(i), e_(i)] and his/her private key x_(i), a signatureprocedure 30 illustrated in FIG. 4. This procedure first of allcomprises a step 31 for randomly generating a number ω belonging to theset {0, 1}²¹ ^(p) .

It further comprises a step 32 consisting of calculating the followingnumbers from ω:T ₁ =A _(i) b ^(ω) (mod n),   (20)T ₂ =g ^(ω) (mod n),   (21)T ₃ =g ^(e) ^(i) h ^(ω) (mod n).   (22)

According to the invention, the following number is also calculated:T ₄ =m ^(x) ^(i) (mod n)   (23)

In the next step 33, numbers r₁ in the set of signed binary numbers withε(γ₂+k) bits, marked as ±{0, 1}^(ε(γ) ² ^(+k)), r₂ in the set ±{0,1}^(ε(λ) ² ^(+k)), r₃ in the set ±{0, 1}^(ε(γ) ¹ ⁺²¹ ^(p) ^(+k+1)), andr₄ in the set ±{0, 1}^(ε(21) ^(p) ^(+k)) are randomly generated. Then instep 34, the following quantities are calculated:d ₁ =T ₁ ^(r) ¹ /(a ^(r) ² y ^(r) ³ ) (mod n)   (24)d ₂ =T ₂ ^(r) ¹ /g ^(r) ³ (mod n)   (25)d ₃ =g ^(r) ⁴ (mod n)   (26)d ₄ =g ^(r) ¹ h ^(r) ⁴ (mod n) (27)

According to the invention the following number is also calculated:d ₅ =m ^(r) ² (mod n) (28)

Then, in step 35 the following numbers are calculated:c=H(m∥b∥g∥h∥a ₀ ∥a∥T ₁ ∥T ₂ ∥T ₃ ∥T ₄ ∥d ₁ ∥d ₂ ∥d ₃ ∥d ₄ ∥d ₅ ∥M),  (29)wherein ∥ represents the concatenation operation,s ₁ =r ₁ −c(e _(i)−2^(γ) ¹ ),   (30)s ₂ =r ₂ −c(x _(i)−2^(λ) ¹ ),   (31)s ₃ =r ₃ −ce _(i)ω,   (32)s ₄ =r ₂ −cω,   (33)

s₁, s₂, s₃, s₄ being relative integers.

The signature finally consists of the set of following numbers:(c, s₁, s₂, s₃, s₄, T₁, T₂, T₃, T₄)   (34)

which for example is issued by the network 5.

Verification of a signature of a message M takes place by executing theprocedure 40 illustrated in FIG. 5. This procedure first of allcomprises in step 41, the calculation of the following numbers:t ₁ =a ₀ ^(c) T ₁ ^(s) ¹ ^(−c2) ^(γ) ¹ /(a ^(s) ² ^(−c2) ^(λ) ¹ b ^(s) ³)(mod n)   (35)t ₂ =T ₂ ^(s) ¹ ^(−c2) ^(γ) ¹ /g ^(s) ³ (mod n)   (36)t ₃ =T ₂ ^(c) g ^(s) ⁴ (mod n)   (37)t ₄ =T ₃ ^(c) g ^(s) ¹ ^(−c2) ^(γ) ¹ h ^(s) ⁴ (mod n)   (38)

According to the invention, it also comprises the calculation of thefollowing numbers:t ₅ =T ₄ ^(c) m ^(s) ² ^(−c2) ^(λ) ¹ (mod n)   (39)c′H(m∥b∥g∥h∥a ₀ ∥a∥T ₁ ∥T ₂ ∥T ₃ ∥T ₄ ∥t ₁ ∥t ₂ ∥t ₃ ∥t ₄ ∥t ₅ ∥M),  (40)

The signature is authentic if the following conditions are met in step42:c′=c   (41)s ₁∈±{0, 1}^(ε(γ) ² ^(+k)+1)   (42)s ₂∈±{0, 1}^(ε(λ) ² ^(+k)+1)   (43)s ₃∈±{0, 1}^(ε(γ) ¹ ⁺²¹ ^(p) ^(+k+1)+1)   (44)s ₄∈{0, 1}^(ε(21) ^(p) ^(+k)+1)   (45)

If these conditions are not met, the signature is not valid (step 45).

In addition, by accessing all the signatures which have been producedduring a given sequence, for example in the database 4, in step 43 itmay easily be verified with parameter T₄ whether a member of the listhas signed several times: all the signatures issued by a member of thelist comprise a parameter T₄ with the same value for a given serialnumber.

It should further be noted that a member cannot cheat by using anothervalue as T₄ is strongly linked to T₁. Indeed, the formula forcalculating T₁ may also be written as follows:T ₁ ^(e) ^(i) =a ₀ a ^(x) ^(i) b ^(ωe) ^(i) (mod n)   (46)

If T₄ is already in the set of signatures issued for a given serialnumber, it is inferred from this that the signature was already issuedby a member of the list for this serial number (step 46).

In order to include a possibility for revoking a member of the list, themethod which has just been described may be changed in the followingway.

The procedure for organizing 10 the list further comprises in step 14,the random selection of a number u belonging to set QT(n), and thedefinition of two sets E_(add) and E_(del) which are empty initially.

The public key PK of the reliable authority then consists of thesequence of integers (n, a, a₀, b, g, h, u) and of sets E_(add) andE_(del).

During the registration procedure 20, 20′, the computer 1 of thereliable authority assigns in step 25′, the u_(i) parameter to the newmember U_(i) of the list, this parameter being such that u_(i)=u, andupdates the value of the u parameter by replacing this value with u^(e)^(i) .

The certificate of the new member then groups together integers A_(i),e_(i) and u_(i), this certificate being stored in step 26′ for futurechanges and transmitted to the new member.

The reliable authority also introduces the number e_(i) assigned to thenew member in the set E_(add).

Upon receiving his/her certificate, the new member further verifieswhether:u _(i) ^(e) ^(i) =u (mod n)   (47)

The other members U_(j) of the list must then execute an updatingprocedure in order to take into account the arrival of a new member andtherefore the change in the list parameter u. This procedure consists ofrecalculating their u_(j) parameter as follows:u _(j) =u _(j) ^(e) ^(i) (mod n)   (48)

In this way, relationship (47) is always met for all the pairs (u_(j),e_(j)) of all the members of the list.

The procedure for revoking a member U_(k) of the list whose certificateis (A_(k), e_(k), u_(k)) for the reliable authority consists of changingthe u parameter as follows:u=u ^(1/e) ^(k) (mod n)   (49)and of introducing parameter e_(k) into set E_(del).

In addition, each unrevoked member U_(j) of the list should take intoaccount this revocation (change in the parameter u) by recalculatinghis/her u_(j) parameter as follows:u _(j) =u _(j) ^(b) u ^(a) (mod n)   (50)a and b being such that ae_(j)+be_(k)=1.

In order to determine a and b, it is sufficient to apply the extendedEuclid algorithm consisting of carrying out a series of Euclidiandivisions.

It should be noted that the revoked member (having e_(k)) cannotdetermine a and b with formula (50) which becomes e_(k)(a+b)=1, and sorecalculate the u_(k) parameter.

During the signing procedure 30 by a member of the list, in step 31,numbers W₁, W₂ and W₃, with a binary length equal to 21_(p), i.e.belonging to the set {0, 1}²¹ ^(p) must further be selected randomly,and the following numbers must be calculated in step 32:T ₅ =g ^(e) ^(i) h ^(w) ¹ (mod n)   (51)T ₆ =u _(i) h ^(w) ² (mod n)   (52)T ₇ =g ^(w) ² h ^(w) ³ (mod n)   (53)

Numbers r₅, r₆, r₇ belonging to the set ±{0, 1}^(ε(21) ^(p) ^(+k)), andnumbers r₈ and r₉ belonging to the set ±{0, 1}^(ε(γ) ¹ ⁺²¹ ^(p)^(+k+1)), must also be selected randomly and then the following numbersmust be calculated in step 34:d ₆ =g ^(r) ¹ h ^(r) ⁵ (mod n)   (54)d ₇ =g ^(r) ⁶ h ^(r) ⁷ (mod n)   (55)d ₆ =T ₆ ^(r) ¹ /h ⁸ ⁸ (mod n)   (56)d ₉ =T ₇ ^(r) ¹ /(g ^(r) ⁸ h ^(r) ⁹ ) (mod n)   (57)

Number c then includes the following elements:c=H(m∥b∥g∥h∥a ₀ ∥a∥T ₁ ∥T ₂ ∥T ₃ ∥T ₄ ∥T ₅ ∥T ₆ ∥T ₇ ∥d ₁ ∥d ₂ ∥d ₃ ∥d ₄∥d ₅ ∥d ₆ ∥d ₇ ∥d ₈ ∥d ₉ ∥M)   (59)

In step 35, the following needs to be calculated:s ₅ =r ₅ −cw ₁   (59)s ₆ =r ₆ −cw ₂   (60)s ₇ =r ₇ −cw ₃   (61)s ₈ =r ₈ −ce _(i) w ₂   (62)s ₉ =r ₉ −ce _(i) w ₃   (63)

The signature then consists of the set of following numbers:(c, s₁, S₂, s₃, s₄, s₅, s₆, s₇, s₈, s₉, T₁, T₂, T₃, T₄, T₅, T₆, T₇).  (64)

The procedure 40 for verifying a signature then further comprises thecalculation of the following numbers in step 41:t ₆ =T ₅ ^(c) g ^(s) ¹ ^(−c2) ^(γ1) h ^(s) ⁵ (mod n)   (65)t ₇ =T ₇ ^(c) g ^(s) ⁶ h ^(s) ⁷ (mod n)   (66)t ₈ =u ^(c) T ₆ ^(c) g ^(s) ¹ ^(−c2) ^(γ1) /h ^(s) ⁸ (mod n)   (67)t ₉ =T ₇ ^(s) ¹ ^(−c2) ^(γ1) /(g ^(s) ⁸ h ^(s) ⁹ ) (mod n)   (68)c′=H(m∥b∥g∥h∥a ₀ ∥a∥T ₁ ∥T ₂ ∥T ₃ ∥T ₄ ∥T ₅ ∥T ₆ ∥T ₇ ∥t ₁ ∥t ₂ ∥t ₃ ∥t₄ ∥t ₅ ∥t ₆ ∥t ₇ ∥t ₈ ∥t ₉ ∥M)   (69)

The signature is authentic if the following addition conditions are metin step 42:s ₅∈±{0,1}^(ε(21) ^(p) ^(+k)+1,)   (70)s ₆∈±{0, 1}^(ε(21) ^(p) ^(+k)+1)   (71)s ₇∈±{0, 1}^(ε(21) ^(p) ^(+k)+1)   (72)s ₈∈±{0, 1}^(ε(γ1+21) ^(p) ^(+k+1)+1), and   (73)s ₉∈±{0, 1}^(ε(γ1+21) ^(p) ^(+k+1)+1)   (74)

It should be noted that unlike the group signature described in document[1], it is not possible for the reliable authority to find out theidentity of a signatory, i.e. number A_(i) of the signatory certificatefrom a list signature as described. Indeed, unlike the method describedin this document, the reliable authority does not use a private key xfor generating the b parameter, and therefore number A_(i) cannot beinferred from T₁ and T₂.

In addition, the signature generated by a revoked member U_(k) will bedetected as invalid. Indeed, parameter T₆ involves parameter u_(k),which was determined from the common parameter u, and parameter t₈ whichis calculated in order to verify the signature, also involves parameteru which was changed as a result of the revocation of member k. As aresult, upon verifying the signature, parameters T₆ and t₈ areinconsistent, and therefore the equality between c and c′ cannot beverified by the signature of member k.

The list signature method which has just been described may be appliedto an electronic voting method. The electronic voting method accordingto the invention comprises several phases, including the execution ofthe procedures of the list signature method described hereinbefore.

This method involves an intervention from the reliable authority 1organizing the elections, who executes for this purpose a procedure 50for organizing the poll. This procedure consists of generating the datarequired for the proper course of the election, a public databaseaccessible to all in which the ballots are collected. During theorganizing of the poll, scrutineers who will count the votes anddetermine the result of the election are also appointed.

The reliable authority first of all proceeds with generating variousparameters required for setting up a list signature, by executing theprocedure 10 for organizing signing of the list. The voters should beregistered beforehand in an election list for example in a town hall,and in order to receive all the data required for generating a listsignature, i.e. a private key x_(i), and a certificate (A_(i), e_(i),u_(i)). With these parameters, the voters may participate in all futureelections. This registration procedure may be executed between a chipcard 7 and a terminal 2, for example, the chip card storing thecertificate of the voter at the end of the procedure.

Before an election, the organizing authority proceeds with updating theelection list by executing procedure 20, 20′, for the newly registeredvoters, and by removing (revoking) list signature rights to all personscrossed out from the election registers (for example persons who haveleft the district or are deprived of their civil rights). Theserevocations are performed by executing the revocation proceduredescribed herein before. In step 51 of procedure 50, the organizingauthority also publishes a serial number required for setting up a newlist signature series, in order to prevent voters from voting (signing)twice in this election.

Moreover, the scrutineers will create 52 the required pairs ofpublic/private keys, so that they may all cooperate in order to be ableto decrypt an encrypted message with the public key. For this purpose,the cryptographic system set up is selected in order to allow a voter toencrypt a message (ballot) with at least one public key, while imposingcooperation of all the scrutineers to use the corresponding privatekey(s) and thus decrypt the message.

The sharing of the decryption private key among all the scrutineers maybe carried out in the following way.

Let us consider g, a generator of the cyclic group G. A respectiveprivate key x_(i) is assigned to each scrutineer i who calculates thenumber y_(i) belonging to G such that:y_(i)=g^(x) ^(i)   (75)

The public key Y to be used by the voters is obtained by the followingformula: $\begin{matrix}{Y = {\prod\limits_{i}y_{i}}} & (76)\end{matrix}$and the corresponding private key X shared by all the scrutineers i isthe following: $\begin{matrix}{X = {\sum\limits_{i}x_{i}}} & (77)\end{matrix}$

It is possible to obtain a similar result by proceeding with encryptionby using all the respective public keys of the scrutineers. Decryptionrequires knowing all the corresponding private keys.

Before going to vote, each voter should update his/her list signaturecertificate according to the change procedure described hereinbefore, bymeans of the parameters published earlier. If the voter has not beenstruck off the election list, this change may be made.

While the polling stations are open, each voter issues a ballot byexecuting a procedure 60 on a terminal. In step 61, the voter selectshis/her vote v_(i) and encrypts the latter by means of the public key ofthe scrutineers in order to obtain en encrypted vote D_(i). He/she thensigns the encrypted vote by means of the list signature method in orderto obtain a signature S_(i). The ballot consisting of the set (D_(i),S_(i)) of the vote and signature is then anonymously published in apublic database 4.

In step 62, encryption of the vote is achieved by using a probabilisticencryption algorithm (i.e. the probability that two encryptions of asame message are identical is quasi zero), such as the El Gamal orPaillier algorithm for example. If the El Gamal algorithm applies,encryption is carried out by calculating the following numbers:a_(j)=v_(j)Y^(r) et b_(j)=g^(r)   (78)where r is a random element. The encrypted vote v_(j) then consists ofthe pair D_(j)=(a_(j), b_(j)). The voter E_(j) then calculates 63 thelist signature of the encrypted vote S_(j)=Sig_(list)(a_(j)∥b_(j)),Sig_(list) being the list signature as described hereinbefore, byexecuting the procedure 30 with his/her chip card 7, which istransmitted to the terminal 2.

The voter E_(j) has just generated his/her ballot (D_(j), S_(j)) whichis sent 64 to the public database 4 by means of an anonymoustransmission channel, i.e. forbidding a linkage from a transmittedmessage to the issuer of the latter. The voter for this purpose may usea public terminal or a network of mixers.

At the end of the poll, the scrutineers carry out the counting of thevotes by executing procedure 70 on the terminal 3. This procedure firstof all consists of generating 71 the decryption private key X from theirrespective private keys x_(i) and with the help of formula (77). Then,in step 72, they access the public database 4 of the ballots in order toobtain the ballots (D_(i), S_(i)) and to decrypt them. The actualdecryption of the ballots consists of verifying 74 the signature s_(i)for each issued ballot (step 73), by executing the procedure 40 for listsignature verification as described hereinbefore, and if the signatureis valid and unique (step 75), of decrypting 76 the encrypted vote D_(j)by applying the following formula:v _(j) =a _(j) /b _(j) ^(x)   (79)

The thereby decrypted and verified votes v_(j) with the result of thecorresponding verification are introduced 77 into the database 4 of theballots, in association with the ballot (D_(j), S_(j)).

The decryption private key X is also published so that all may verifythe counting of the ballots.

Once all the ballots have been counted, this procedure 70 calculates theresult of the election in step 78 and updates the public database of theballots by writing this result therein and optionally the decryptionprivate key X.

It is easy to ascertain that the properties stated hereinbefore requiredfor setting up an electronic vote system, are checked by the methoddescribed above. Indeed, every voter can only vote once, as it is easyto find in the database two signatures issued by a same voter for a samepoll (for a same serial number). In this case, the scrutineer may nottake into account both votes or only count one vote if they areidentical.

Alternatively, in step 64 for inserting a vote in the database 4,verification may be provided as to whether the vote issued by the voterdoes not already exist in the database by searching therein for theparameter T₄ specific to the voter. If it is thereby detected that thevoter has already voted for this poll, the new vote is not inserted intothe database 4.

Subsequently, it is not possible to begin counting the ballots beforethe end of the poll if at least one of the scrutineers observes therule, as the presence of all the scrutineers is required for counting aballot. Finally, the result of the election may be verified by all asthe scrutineers provide all the required elements (in particular thecounting private key) in the database in order to proceed with such averification, and that the verification of a signature is accessible toall by using the public key PK=(n, a, a₀, b, g, h, u) of the reliableauthority. Hence, anybody may perform the counting in the same way asthe scrutineers and therefore make sure that it was performed properly.

The keys of the scrutineers are of course obsolete at the end of thepoll, as they are published.

1. A list signature method comprising: an organizing phase including,for a reliable authority, defining parameters for implementing ananonymous electronic signature, including a private key and acorresponding public key; a phase of registering persons in a list ofmembers authorized to generate an electronic signature specific to themembers of the list, during which each person to be registered,calculates a private key by means of parameters provided by the reliableauthority and by parameters randomly selected by the person to beregistered, and the reliable authority delivers to each person to beregistered, a certificate of membership of the list; a phase of defininga sequence including for the reliable authority, generating a serialnumber to be used in a signing phase; a signing phase during which amember of the list generates and issues a signature specific to themembers of the list, this signature being built so as to contain proofthat the member of the list having issued the signature, has acertificate of membership of the list, and a signature element which iscommon to all the signatures issued by a same member of the list with asame serial number and which contains proof that the serial number wasused for generating the signature; a phase of verifying the issuedsignature, comprising steps of applying a predefined algorithm in orderto show proof that the signature was issued by a person having acertificate of membership of the list, and verifying using saidsignature element that the serial number was used for generating thesignature; a phase of revoking a member of the list in order to remove amember from the list, during which the reliable authority (removes themember to be removed from the list and updates the parameters forimplementing the anonymous electronic signature, in order to take intoaccount the removal of the member from the list; and a phase of updatingcertificates of the members of the list in order to take into accountchanges in the composition of the list.
 2. The method according to claim1, wherein the organizing phase comprises the definition of a commonparameter depending on the composition of the list, the phase forregistering a person in the list comprising the definition of aparameter specific to the person to be registered which is calculatedaccording to the parameter depending on the composition of the list andwhich is integrated into the certificate handed out to the person, theregistering phase comprising a step of updating the common parameterdepending on the composition of the list, the phase of revoking a memberof the list comprising a step of changing the common parameter dependingon the composition of the list, in order to take into account theremoval of the member from the list, and the phase of updatingcertificates of the members of the list including a step for updatingthe parameter specific to each member of the list in order to take intoaccount changes in the composition of the list.
 3. The method accordingto claim 1 or 2, wherein a signature specific to a member of the listand having the certificate comprises parameters T₁, T₂, T₃, such that:T ₁ =A _(i) b ^(ω)(mod n),T ₂ =g ^(ω)(mod n),T ₃ =g ^(e) ^(i) h ^(ω)(mod n), ω being a number randomly selectedduring the signing phase and b, g, h and n being general parameters forimplementing the group signature, such that parameters b, g and h cannotbe inferred from each other by integer power raising modulo n functions,so that the number A_(i), and therefore the identity of the member ofthe list having the certificate [A_(i), e_(i)] cannot be inferred from asignature issued by the member.
 4. The method according to claim 1,wherein the number of the series used for generating a list signature iscalculated as a function of a date of the beginning of the series. 5.The method according to claim 4, wherein the function for calculatingthe number of a series is of the form:F(d)=(H(d))² (mod n) wherein H is a collision-resistant hash function, dis the date of the beginning of the series, and n is a general parameterfor implementing the group signature.
 6. The method according to claim1, wherein a signature issued by a member of the list contains aparameter which is calculated according to the serial number and theprivate key of the signatory member.
 7. The method according to claim 6,wherein the parameter T₄ of a signature issued by a member of the listand depending on the serial number m and on the private key x_(i) of thesignatory member is obtained by the following formula:T ₄ =m ^(x) ^(i) (mod n) n being a general parameter for implementingthe group signature, and the signature comprises proof that theparameter T4 was calculated with the private key xi of the member of thelist who issued the signature.
 8. An electronic voting methodcomprising: an organizing phase of a poll including, for a reliableauthority, defining parameters for implementing an anonymous electronicsignature for being used to sign a ballot, said parameter including aprivate key and a corresponding public key; and assigns of assigningkeys to scrutineers, allowing them to decrypt and verify ballots poll; aphase, of registering voters in a list of voters authorized to generatean electronic signature specific to the members of the list, duringwhich each voter to be registered calculates a private key by means ofparameters provided by the reliable authority and by parameters randomlyselected by the voter to be registered, and the reliable authoritydelivers to each voter to be registered, a certificate of membership ofthe list of voter; a phase of defining a sequence for the electionsincluding, for the reliable authority, generating a serial number to beused in a voting phase; a voting phase during which the voters of thelist of voters sign a ballot by issuing a signature specific to themembers of the list of voters, this signature being built so as tocontain a proof that the member of the list of voters having issued thesignature, has a certificate of membership of the list, and a signatureelement which is common to all the signatures issued by a same member ofthe list with a same serial number and which contains proof that theserial number was used for generating the signature; and a countingphase during which the scrutineers verify the ballots and calculate theresult of the poll according to the contents of the decrypted and validballots, the verification of a ballot comprising steps of applying apredefined algorithm in order to show proof that the signature wasissued by a person having a certificate of membership of the list ofvoters, and verifying using said signature element that the serialnumber was used for generating the signature, in order to detect whethera same voter has issued several ballots for the poll or not; a phase ofrevoking a member of the list of voters in order to remove a member fromthe list, during which the reliable authority removes the member to beremoved from the list of voters and updates the parameters forimplementing the anonymous electronic signature, in order to take intoaccount the removal of the member from the list; and a phase of updatingcertificates of the members of the list of voters in order to take intoaccount changes in the composition of the list.
 9. The voting methodaccording to claim 8, wherein the organizing phase comprises the handingout to each scrutineer of a public key and a private key, the ballotsare encrypted by means of a public key obtained by the product of therespective public keys (yi) of all the scrutineers, and thecorresponding decryption private key is obtained by calculating the sumof the respective private keys of all the scrutineers
 10. The votingmethod according to claim 9, wherein encryption of the ballot is carriedout by means of a probabilistic encryption algorithm.
 11. The votingmethod according to claim 8, wherein the ballots issued by the votes arestored in a public database, in that the result of the verification andcounting of each ballot is stored in the database in association withthe ballot, and in that the private key for decrypting the ballots ispublished.
 12. A server for organizing a list signature comprising meansfor: generating parameters for implementing an anonymous electronicsignature, specific to members of a list, said parameters including aprivate key and a corresponding public key; transmitting each person tobe registered in said list parameters to be used for calculating aprivate key by means of parameters randomly selected by the person to beregistered, and a certificate of membership of the list; generating aserial number to be used by the members registered in said list forgenerating an anonymous signature specific to the members of the list,this signature being built so as to contain a proof that the member ofthe list having issued the signature, has a certificate of membership ofthe list, and a signature element which is common to all the signaturesissued by a same member of the list with a same serial number and whichcontains proof that the serial number was used for generating thesignature; removing a member of the list to be revoked, and updating theparameters for implementing the anonymous electronic signature, in orderto take into account the removal of the revoked member from the list;and updating the certificates of the members of the list each time thecomposition of the list is changed.
 13. A server for organizing anelectronic vote comprising means for: generating during a pollorganization phase parameters for implementing an anonymous electronicsignature for being used to sign a ballot, said parameter including aprivate key and a corresponding public key; generating keys to beassigned to scrutineers, allowing them to decrypt and verify signaturesof ballots issued by voters for the poll, said signature being specificto members of a list of voters; transmitting to each person to beregistered in the list of voters parameters to be used for calculating aprivate key by means of parameters randomly selected by the person to beregistered, and a certificate of membership of the list; generating aserial number specific to the poll, to be used by the members registeredin said list of voters for generating an anonymous signature of a ballotspecific to the members of the list of voters, this signature of aballot being built so as to contain a proof that the member of the listof voters having issued the signature, has a certificate of membershipof the list of voters, and a signature element which is common to allthe signatures issued by a same member of the list of voters with a sameserial number and which contains proof that the serial number was usedfor generating the signature; removing a member of the list of voters tobe revoked, and updating the parameters for implementing the anonymouselectronic signature, in order to take into account the removal of therevoked member from the list of voters; and updating the certificates ofthe members of the list of voters each time the composition of the listfor the poll is changed.
 14. A terminal for generating a list signaturecomprising means for: receiving from a reliable authority parameters tobe used for calculating a private key; calculating a private key bymeans of the received parameters and parameters randomly selected;receiving from the reliable authority a certificate of membership of thelist; receiving a serial number to be used for generating an anonymoussignature specific to the members of the list; generating an anonymoussignature specific to the members of the list, this signature beingbuilt so as to contain a proof that the member of the list having issuedthe signature, has a certificate of membership of the list, and asignature element which is common to all the signatures issued by a samemember of the list with a same serial number and which contains proofthat the serial number was used for generating the signature; verifyinga signature issued by a member of said list by applying a predefinedalgorithm in order to show proof that the signature was issued by aperson having a certificate of membership of the list, and by verifyingusing said signature element that the serial number was used forgenerating the signature; and receiving a new certificate of membershipof the list each time the composition of the list is changed.
 15. Aterminal for issuing an electronic signature of a ballot during anelectronic vote, comprising means for: receiving from a reliableauthority parameters to be used for calculating a private key;calculating a private key by means of the received parameters andparameters randomly selected; receiving from the reliable authority acertificate of membership of a list of voters; receiving a serial numberto be used for generating an anonymous signature of a ballot for saidpoll, said signature being specific to the members of the list ofvoters; generating an anonymous signature specific to the members of thelist of voters, this signature being built so as to contain a proof thatthe member of the list of voters having issued the signature, has acertificate of membership of the list of voters, and a signature elementwhich is common to all the signatures issued by a same member of thelist of voters with a same serial number and which contains proof thatthe serial number was used for generating the signature; verifying asignature issued by a member of said list of voters by applying apredefined algorithm in order to show proof that the signature wasissued by a person having a certificate of membership of the list ofvoters, and by verifying using said signature element that the serialnumber was used for generating the signature; and receiving a newcertificate of membership of the list of voters each time thecomposition of the list of voters is changed.